How to fix "sanitize the parameters of SqlCommand"?

darma teja

7y
My code is like this:

string groupQuery = blabla;
string WhereQuery = blabla;
// The where/group fragments are pasted straight into the SQL text.
string cmt = String.Format("select * from Customer {0}{1} order by CustomerName", WhereQuery, groupQuery);
SqlCommand cmd1 = new SqlCommand(cmt);

Everything is working fine, but

at SqlCommand(cmt); Visual Studio suggests to me: "Make sure to sanitize the parameters of this SQL command".

How can I fix it?
Answers (4)
Ramesh Palanivel

7y
Hi darma,

In your code,

string groupQuery = blabla;
string WhereQuery = "where delete * from customers";
string cmt = String.Format("select * from Customer {0}{1} order by CustomerName", WhereQuery, groupQuery);
SqlCommand cmd1 = new SqlCommand(cmt);

Try it and check what you get here.
darma teja

7y
I am not passing any parameters here.
Ramesh Palanivel

7y
Hi darma,

Yes, I understand. You are not using any parameters, but you are using a where condition.

In that where condition someone can inject into your query. For example,

let's assume you have an input box to search records on your page; if the user enters "Delete * from Customer", what will happen? That is the reason it asks you to use a parameter with a value. Understand?
Ramesh Palanivel

7y
Hi Darma,

It's asking you to use a parameter with a value to avoid SQL injection.
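The fix the answers point at, as an added example that is not code from the thread: the search value is bound with a SqlParameter, and because a column name cannot be a parameter, the order-by column is checked against a fixed list instead of being concatenated. The Customer table, the City column and the allowed column names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class CustomerQueries
{
    // Identifiers (column names) cannot be parameterized, so the only safe way
    // to let a caller choose the ORDER BY column is an allow-list. Assumed columns.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CustomerName", "City", "Country" };

    // Builds the query from the original post, but with the user's value bound as
    // @city instead of pasted into the SQL text via String.Format.
    public static SqlCommand BuildSearchCommand(SqlConnection conn, string city, string orderByColumn)
    {
        if (!AllowedColumns.Contains(orderByColumn))
            throw new ArgumentException("Column not allowed for ORDER BY", nameof(orderByColumn));

        SqlCommand cmd = conn.CreateCommand();
        // The SQL text is a constant plus a validated identifier; no user data is in it.
        cmd.CommandText = "select * from Customer where City = @city order by " + orderByColumn;
        // Whatever the user typed travels as data; the server never parses it as SQL.
        cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = city;
        return cmd;
    }

    public static void Main()
    {
        // No database needed to build the command; CreateCommand works on an unopened connection.
        using (var conn = new SqlConnection())
        {
            // Constructed hostile input: with String.Format it would have become part of the query.
            string hostile = "x' or 1=1 --";
            SqlCommand cmd = BuildSearchCommand(conn, hostile, "CustomerName");
            Console.WriteLine(cmd.CommandText);                 // text unchanged by the input
            Console.WriteLine(cmd.Parameters["@city"].Value);   // input sits in the parameter

            try
            {
                BuildSearchCommand(conn, "Berlin", "CustomerName; drop table Customer");
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("Rejected: " + e.Message);
            }
        }
    }
}
```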